ID CVE-2015-5300
Summary The panic_gate check in NTP before 4.2.8p5 is only re-enabled after the first change to the system clock that was greater than 128 milliseconds by default, which allows remote attackers to set NTP to an arbitrary time when started with the -g option, or to alter the time by up to 900 seconds otherwise by responding to an unspecified number of requests from trusted sources, and leveraging a resulting denial of service (abort and restart).
References
Vulnerable Configurations
  • Fedora 21
    cpe:2.3:o:fedoraproject:fedora:21
  • Fedora 22
    cpe:2.3:o:fedoraproject:fedora:22
  • SUSE Linux Enterprise Debuginfo 11 Service Pack 2
    cpe:2.3:a:suse:linux_enterprise_debuginfo:11:sp2
  • SUSE Linux Enterprise Debuginfo 11 Service Pack 3
    cpe:2.3:a:suse:linux_enterprise_debuginfo:11:sp3
  • SUSE Linux Enterprise Debuginfo 11 Service Pack 4
    cpe:2.3:a:suse:linux_enterprise_debuginfo:11:sp4
  • openSUSE Leap 42.1
    cpe:2.3:o:opensuse:leap:42.1
  • OpenSUSE 13.2
    cpe:2.3:o:opensuse:opensuse:13.2
  • SUSE Linux Enterprise Desktop 12
    cpe:2.3:o:suse:linux_enterprise_desktop:12
  • SUSE Linux Enterprise Desktop 12 Service Pack 1
    cpe:2.3:o:suse:linux_enterprise_desktop:12:sp1
  • SUSE Linux Enterprise Server 10 Service Pack 4 Long Term Service Pack Support
    cpe:2.3:o:suse:linux_enterprise_server:10:sp4:-:-:ltss
  • SUSE Linux Enterprise Server 11 Service Pack 2 Long Term Service Pack Support
    cpe:2.3:o:suse:linux_enterprise_server:11:sp2:-:-:ltss
  • cpe:2.3:o:suse:linux_enterprise_server:11:sp3:-:-:ltss
    cpe:2.3:o:suse:linux_enterprise_server:11:sp3:-:-:ltss
  • SUSE Linux Enterprise Server 11 Service Pack 4
    cpe:2.3:o:suse:linux_enterprise_server:11:sp4
  • SUSE Linux Enterprise Server 12 Service Pack 1
    cpe:2.3:o:suse:linux_enterprise_server:12:sp1
  • SUSE Linux Enterprise Software Development Kit (SDK) 12
    cpe:2.3:o:suse:linux_enterprise_software_development_kit:12
  • SUSE Linux Enterprise Software Development Kit (SDK) 12 Service Pack 1
    cpe:2.3:o:suse:linux_enterprise_software_development_kit:12:sp1
  • cpe:2.3:o:suse:manager:2.1
    cpe:2.3:o:suse:manager:2.1
  • cpe:2.3:o:suse:manager_proxy:2.1
    cpe:2.3:o:suse:manager_proxy:2.1
  • cpe:2.3:o:suse:openstack_cloud:5
    cpe:2.3:o:suse:openstack_cloud:5
  • SUSE Linux Enterprise Server (SLES) 12
    cpe:2.3:o:suse:suse_linux_enterprise_server:12
  • Red Hat Enterprise Linux Desktop 6.0
    cpe:2.3:o:redhat:enterprise_linux_desktop:6.0
  • RedHat Enterprise Linux Desktop 7.0
    cpe:2.3:o:redhat:enterprise_linux_desktop:7.0
  • RedHat Enterprise Linux HPC Node 6.0
    cpe:2.3:o:redhat:enterprise_linux_hpc_node:6.0
  • RedHat Enterprise Linux HPC Node 7.0
    cpe:2.3:o:redhat:enterprise_linux_hpc_node:7.0
  • cpe:2.3:o:redhat:enterprise_linux_hpc_node_eus:7.1
    cpe:2.3:o:redhat:enterprise_linux_hpc_node_eus:7.1
  • Red Hat Enterprise Linux Server 6.0
    cpe:2.3:o:redhat:enterprise_linux_server:6.0
  • RedHat Enterprise Linux Server 7.0
    cpe:2.3:o:redhat:enterprise_linux_server:7.0
  • cpe:2.3:o:redhat:enterprise_linux_server_eus:6.7.z
    cpe:2.3:o:redhat:enterprise_linux_server_eus:6.7.z
  • cpe:2.3:o:redhat:enterprise_linux_server_eus:7.1
    cpe:2.3:o:redhat:enterprise_linux_server_eus:7.1
  • Red Hat Enterprise Linux Workstation 6.0
    cpe:2.3:o:redhat:enterprise_linux_workstation:6.0
  • RedHat Enterprise Linux Workstation 7.0
    cpe:2.3:o:redhat:enterprise_linux_workstation:7.0
  • Debian Linux 7.0
    cpe:2.3:o:debian:debian_linux:7.0
  • Debian Linux 8.0 (Jessie)
    cpe:2.3:o:debian:debian_linux:8.0
  • Canonical Ubuntu Linux 12.04 LTS
    cpe:2.3:o:canonical:ubuntu_linux:12.04:-:-:-:lts
  • Canonical Ubuntu Linux 14.04 LTS (Long-Term Support)
    cpe:2.3:o:canonical:ubuntu_linux:14.04:-:-:-:lts
  • Canonical Ubuntu Linux 15.04
    cpe:2.3:o:canonical:ubuntu_linux:15.04
  • Canonical Ubuntu Linux 15.10
    cpe:2.3:o:canonical:ubuntu_linux:15.10
  • NTP 4.2.8 Patch 4
    cpe:2.3:a:ntp:ntp:4.2.8:p4
CVSS
Base: 5.0
Impact:
Exploitability:
CWE CWE-361
CAPEC
  • Session Credential Falsification through Forging
    An attacker creates a false but functional session credential in order to gain or usurp access to a service. Session credentials allow users to identify themselves to a service after an initial authentication without needing to resend the authentication information (usually a username and password) with every message. If an attacker is able to forge valid session credentials they may be able to bypass authentication or piggy-back off some other authenticated user's session. This attack differs from Reuse of Session IDs and Session Sidejacking attacks in that in the latter attacks an attacker uses a previous or existing credential without modification while, in a forging attack, the attacker must create their own credential, although it may be based on previously observed credentials.
  • Session Fixation
    The attacker induces a client to establish a session with the target software using a session identifier provided by the attacker. Once the user successfully authenticates to the target software, the attacker uses the (now privileged) session identifier in their own transactions. This attack leverages the fact that the target software either relies on client-generated session identifiers or maintains the same session identifiers after privilege elevation.
nessus via4
  • NASL family Firewalls
    NASL id PFSENSE_SA-16_02.NASL
    description According to its self-reported version number, the remote pfSense install is prior to 2.3. It is, therefore, affected by multiple vulnerabilities.
    last seen 2019-02-21
    modified 2018-09-17
    plugin id 106499
    published 2018-01-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=106499
    title pfSense < 2.3 Multiple Vulnerabilities (SA-16_01 - SA-16_02)
  • NASL family Misc.
    NASL id NTP_4_2_8P5.NASL
    description The version of the remote NTP server is 3.x or 4.x prior to 4.2.8p5. It is, therefore, affected by the following vulnerability : - he panic_gate check in NTP before 4.2.8p5 is only re-enabled after the first change to the system clock that was greater than 128 milliseconds by default, which allows remote attackers to set NTP to an arbitrary time when started with the -g option, or to alter the time by up to 900 seconds otherwise by responding to an unspecified number of requests from trusted sources, and leveraging a resulting denial of service (abort and restart). (CVE-2015-7691)
    last seen 2019-02-21
    modified 2019-01-22
    plugin id 121311
    published 2019-01-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=121311
    title Network Time Protocol Daemon (ntpd) 3.x / 4.x < 4.2.8p5 Denial Of Service Vulnerability
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-1311-1.NASL
    description This network time protocol server ntp was updated to 4.2.8p6 to fix the following issues : Also yast2-ntp-client was updated to match some sntp syntax changes. (bsc#937837) Major functional changes : - The 'sntp' commandline tool changed its option handling in a major way. - 'controlkey 1' is added during update to ntp.conf to allow sntp to work. - The local clock is being disabled during update. - ntpd is no longer running chrooted. Other functional changes : - ntp-signd is installed. - 'enable mode7' can be added to the configuration to allow ntdpc to work as compatibility mode option. - 'kod' was removed from the default restrictions. - SHA1 keys are used by default instead of MD5 keys. These security issues were fixed : - CVE-2015-5219: An endless loop due to incorrect precision to double conversion (bsc#943216). - CVE-2015-8158: Fixed potential infinite loop in ntpq (bsc#962966). - CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002). - CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated broadcast mode (bsc#962784). - CVE-2015-7978: Stack exhaustion in recursive traversal of restriction list (bsc#963000). - CVE-2015-7977: reslist NULL pointer dereference (bsc#962970). - CVE-2015-7976: ntpq saveconfig command allows dangerous characters in filenames (bsc#962802). - CVE-2015-7975: nextvar() missing length check (bsc#962988). - CVE-2015-7974: Skeleton Key: Missing key check allows impersonation between authenticated peers (bsc#962960). - CVE-2015-7973: Replay attack on authenticated broadcast mode (bsc#962995). - CVE-2015-8140: ntpq vulnerable to replay attacks (bsc#962994). - CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose origin (bsc#962997). - CVE-2015-5300: MITM attacker could have forced ntpd to make a step larger than the panic threshold (bsc#951629). - CVE-2015-7871: NAK to the Future: Symmetric association authentication bypass via crypto-NAK (bsc#951608). - CVE-2015-7855: decodenetnum() will ASSERT botch instead of returning FAIL on some bogus values (bsc#951608). - CVE-2015-7854: Password Length Memory Corruption Vulnerability (bsc#951608). - CVE-2015-7853: Invalid length data provided by a custom refclock driver could cause a buffer overflow (bsc#951608). - CVE-2015-7852: ntpq atoascii() Memory Corruption Vulnerability (bsc#951608). - CVE-2015-7851: saveconfig Directory Traversal Vulnerability (bsc#951608). - CVE-2015-7850: remote config logfile-keyfile (bsc#951608). - CVE-2015-7849: trusted key use-after-free (bsc#951608). - CVE-2015-7848: mode 7 loop counter underrun (bsc#951608). - CVE-2015-7701: Slow memory leak in CRYPTO_ASSOC (bsc#951608). - CVE-2015-7703: configuration directives 'pidfile' and 'driftfile' should only be allowed locally (bsc#951608). - CVE-2015-7704, CVE-2015-7705: Clients that receive a KoD should validate the origin timestamp field (bsc#951608). - CVE-2015-7691, CVE-2015-7692, CVE-2015-7702: Incomplete autokey data packet length checks (bsc#951608). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 91248
    published 2016-05-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91248
    title SUSE SLES11 Security Update : ntp (SUSE-SU-2016:1311-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-1247-1.NASL
    description ntp was updated to version 4.2.8p6 to fix 28 security issues. Major functional changes : - The 'sntp' commandline tool changed its option handling in a major way, some options have been renamed or dropped. - 'controlkey 1' is added during update to ntp.conf to allow sntp to work. - The local clock is being disabled during update. - ntpd is no longer running chrooted. Other functional changes : - ntp-signd is installed. - 'enable mode7' can be added to the configuration to allow ntdpc to work as compatibility mode option. - 'kod' was removed from the default restrictions. - SHA1 keys are used by default instead of MD5 keys. Also yast2-ntp-client was updated to match some sntp syntax changes. (bsc#937837) These security issues were fixed : - CVE-2015-8158: Fixed potential infinite loop in ntpq (bsc#962966). - CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002). - CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated broadcast mode (bsc#962784). - CVE-2015-7978: Stack exhaustion in recursive traversal of restriction list (bsc#963000). - CVE-2015-7977: reslist NULL pointer dereference (bsc#962970). - CVE-2015-7976: ntpq saveconfig command allows dangerous characters in filenames (bsc#962802). - CVE-2015-7975: nextvar() missing length check (bsc#962988). - CVE-2015-7974: Skeleton Key: Missing key check allows impersonation between authenticated peers (bsc#962960). - CVE-2015-7973: Replay attack on authenticated broadcast mode (bsc#962995). - CVE-2015-8140: ntpq vulnerable to replay attacks (bsc#962994). - CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose origin (bsc#962997). - CVE-2015-5300: MITM attacker could have forced ntpd to make a step larger than the panic threshold (bsc#951629). - CVE-2015-7871: NAK to the Future: Symmetric association authentication bypass via crypto-NAK (bsc#951608). - CVE-2015-7855: decodenetnum() will ASSERT botch instead of returning FAIL on some bogus values (bsc#951608). - CVE-2015-7854: Password Length Memory Corruption Vulnerability (bsc#951608). - CVE-2015-7853: Invalid length data provided by a custom refclock driver could cause a buffer overflow (bsc#951608). - CVE-2015-7852: ntpq atoascii() Memory Corruption Vulnerability (bsc#951608). - CVE-2015-7851: saveconfig Directory Traversal Vulnerability (bsc#951608). - CVE-2015-7850: remote config logfile-keyfile (bsc#951608). - CVE-2015-7849: trusted key use-after-free (bsc#951608). - CVE-2015-7848: mode 7 loop counter underrun (bsc#951608). - CVE-2015-7701: Slow memory leak in CRYPTO_ASSOC (bsc#951608). - CVE-2015-7703: configuration directives 'pidfile' and 'driftfile' should only be allowed locally (bsc#951608). - CVE-2015-7704, CVE-2015-7705: Clients that receive a KoD should validate the origin timestamp field (bsc#951608). - CVE-2015-7691, CVE-2015-7692, CVE-2015-7702: Incomplete autokey data packet length checks (bsc#951608). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 90991
    published 2016-05-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90991
    title SUSE SLED12 / SLES12 Security Update : ntp (SUSE-SU-2016:1247-1)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-649.NASL
    description This update for ntp fixes the following issues : - Update to 4.2.8p7 (boo#977446) : - CVE-2016-1547, boo#977459: Validate crypto-NAKs, AKA: CRYPTO-NAK DoS. - CVE-2016-1548, boo#977461: Interleave-pivot - CVE-2016-1549, boo#977451: Sybil vulnerability: ephemeral association attack. - CVE-2016-1550, boo#977464: Improve NTP security against buffer comparison timing attacks. - CVE-2016-1551, boo#977450: Refclock impersonation vulnerability - CVE-2016-2516, boo#977452: Duplicate IPs on unconfig directives will cause an assertion botch in ntpd. - CVE-2016-2517, boo#977455: remote configuration trustedkey/ requestkey/controlkey values are not properly validated. - CVE-2016-2518, boo#977457: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC. - CVE-2016-2519, boo#977458: ctl_getitem() return value not always checked. - integrate ntp-fork.patch - Improve the fixes for: CVE-2015-7704, CVE-2015-7705, CVE-2015-7974 - Restrict the parser in the startup script to the first occurrance of 'keys' and 'controlkey' in ntp.conf (boo#957226). - Enable compile-time support for MS-SNTP (--enable-ntp-signd). This replaces the w32 patches in 4.2.4 that added the authreg directive. (fate#320758). - Fix ntp-sntp-dst.patch (boo#975496). - Call /usr/sbin/sntp with full path to synchronize in start-ntpd. When run as cron job, /usr/sbin/ is not in the path, which caused the synchronization to fail. (boo#962318) - Speedup ntpq (boo#782060, ntp-speedup-ntpq.patch). - Sync service files with openSUSE Factory. - Fix the TZ offset output of sntp during DST (boo#951559). - Add ntp-fork.patch and build with threads disabled to allow name resolution even when running chrooted. - Update to 4.2.8p6 : - CVE-2015-8158, boo#962966: Potential Infinite Loop in ntpq. - CVE-2015-8138, boo#963002: origin: Zero Origin Timestamp Bypass. - CVE-2015-7979, boo#962784: Off-path Denial of Service (DoS) attack on authenticated broadcast mode. - CVE-2015-7978, boo#963000: Stack exhaustion in recursive traversal of restriction list. - CVE-2015-7977, boo#962970: reslist NULL pointer dereference. - CVE-2015-7976, boo#962802: ntpq saveconfig command allows dangerous characters in filenames. - CVE-2015-7975, boo#962988: nextvar() missing length check. - CVE-2015-7974, boo#962960: Skeleton Key: Missing key check allows impersonation between authenticated peers. - CVE-2015-7973, boo#962995: Deja Vu: Replay attack on authenticated broadcast mode. - CVE-2015-8140: ntpq vulnerable to replay attacks. - CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose origin. - CVE-2015-5300, boo#951629: Small-step/Big-step. - Add /var/db/ntp-kod (boo#916617). - Add ntp-ENOBUFS.patch to limit a warning that might happen quite a lot on loaded systems (boo#956773). - add ntp.bug2965.diff (boo#954982) - fixes regression in 4.2.8p4 update - Update to 4.2.8p4 to fix several security issues (boo#951608) : - CVE-2015-7871: NAK to the Future: Symmetric association authentication bypass via crypto-NAK - CVE-2015-7855: decodenetnum() will ASSERT botch instead of returning FAIL on some bogus values - CVE-2015-7854: Password Length Memory Corruption Vulnerability - CVE-2015-7853: Invalid length data provided by a custom refclock driver could cause a buffer overflow - CVE-2015-7852 ntpq atoascii() Memory Corruption Vulnerability - CVE-2015-7851 saveconfig Directory Traversal Vulnerability - CVE-2015-7850 remote config logfile-keyfile - CVE-2015-7849 trusted key use-after-free - CVE-2015-7848 mode 7 loop counter underrun - CVE-2015-7701 Slow memory leak in CRYPTO_ASSOC - CVE-2015-7703 configuration directives 'pidfile' and 'driftfile' should only be allowed locally - CVE-2015-7704, CVE-2015-7705 Clients that receive a KoD should validate the origin timestamp field - CVE-2015-7691, CVE-2015-7692, CVE-2015-7702 Incomplete autokey data packet length checks - obsoletes ntp-memlock.patch. - Add a controlkey line to /etc/ntp.conf if one does not already exist to allow runtime configuuration via ntpq. - Temporarily disable memlock to avoid problems due to high memory usage during name resolution (boo#946386, ntp-memlock.patch). - Use SHA1 instead of MD5 for symmetric keys (boo#905885). - Improve runtime configuration : - Read keytype from ntp.conf - Don't write ntp keys to syslog. - Fix legacy action scripts to pass on command line arguments. - Remove ntp.1.gz, it wasn't installed anymore. - Remove ntp-4.2.7-rh-manpages.tar.gz and only keep ntptime.8.gz. The rest is partially irrelevant, partially redundant and potentially outdated (boo#942587). - Remove 'kod' from the restrict line in ntp.conf (boo#944300). - Use ntpq instead of deprecated ntpdc in start-ntpd (boo#936327). - Add a controlkey to ntp.conf to make the above work. - Don't let 'keysdir' lines in ntp.conf trigger the 'keys' parser. - Disable mode 7 (ntpdc) again, now that we don't use it anymore. - Add 'addserver' as a new legacy action. - Fix the comment regarding addserver in ntp.conf (boo#910063). - Update to version 4.2.8p3 which incorporates all security fixes and most other patches we have so far (fate#319040). More information on: http://archive.ntp.org/ntp4/ChangeLog-stable - Disable chroot by default (boo#926510). - Enable ntpdc for backwards compatibility (boo#920238). - Security fix: ntp-keygen may generate non-random symmetric keys
    last seen 2019-02-21
    modified 2018-12-18
    plugin id 91403
    published 2016-06-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91403
    title openSUSE Security Update : ntp (openSUSE-2016-649)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2015-0140.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : - check origin timestamp before accepting KoD RATE packet (CVE-2015-7704) - allow only one step larger than panic threshold with -g (CVE-2015-5300)
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 86613
    published 2015-10-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86613
    title OracleVM 3.3 : ntp (OVMSA-2015-0140)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2783-1.NASL
    description Aleksis Kauppinen discovered that NTP incorrectly handled certain remote config packets. In a non-default configuration, a remote authenticated attacker could possibly use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2015-5146) Miroslav Lichvar discovered that NTP incorrectly handled logconfig directives. In a non-default configuration, a remote authenticated attacker could possibly use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2015-5194) Miroslav Lichvar discovered that NTP incorrectly handled certain statistics types. In a non-default configuration, a remote authenticated attacker could possibly use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2015-5195) Miroslav Lichvar discovered that NTP incorrectly handled certain file paths. In a non-default configuration, a remote authenticated attacker could possibly use this issue to cause NTP to crash, resulting in a denial of service, or overwrite certain files. (CVE-2015-5196, CVE-2015-7703) Miroslav Lichvar discovered that NTP incorrectly handled certain packets. A remote attacker could possibly use this issue to cause NTP to hang, resulting in a denial of service. (CVE-2015-5219) Aanchal Malhotra, Isaac E. Cohen, and Sharon Goldberg discovered that NTP incorrectly handled restarting after hitting a panic threshold. A remote attacker could possibly use this issue to alter the system time on clients. (CVE-2015-5300) It was discovered that NTP incorrectly handled autokey data packets. A remote attacker could possibly use this issue to cause NTP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2015-7691, CVE-2015-7692, CVE-2015-7702) It was discovered that NTP incorrectly handled memory when processing certain autokey messages. A remote attacker could possibly use this issue to cause NTP to consume memory, resulting in a denial of service. (CVE-2015-7701) Aanchal Malhotra, Isaac E. Cohen, and Sharon Goldberg discovered that NTP incorrectly handled rate limiting. A remote attacker could possibly use this issue to cause clients to stop updating their clock. (CVE-2015-7704, CVE-2015-7705) Yves Younan discovered that NTP incorrectly handled logfile and keyfile directives. In a non-default configuration, a remote authenticated attacker could possibly use this issue to cause NTP to enter a loop, resulting in a denial of service. (CVE-2015-7850) Yves Younan and Aleksander Nikolich discovered that NTP incorrectly handled ascii conversion. A remote attacker could possibly use this issue to cause NTP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2015-7852) Yves Younan discovered that NTP incorrectly handled reference clock memory. A malicious refclock could possibly use this issue to cause NTP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2015-7853) John D 'Doug' Birdwell discovered that NTP incorrectly handled decoding certain bogus values. An attacker could possibly use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2015-7855) Stephen Gray discovered that NTP incorrectly handled symmetric association authentication. A remote attacker could use this issue to possibly bypass authentication and alter the system clock. (CVE-2015-7871) In the default installation, attackers would be isolated by the NTP AppArmor profile. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 86630
    published 2015-10-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86630
    title Ubuntu 12.04 LTS / 14.04 LTS / 15.04 / 15.10 : ntp vulnerabilities (USN-2783-1)
  • NASL family Misc.
    NASL id CITRIX_XENSERVER_CTX220112.NASL
    description The version of Citrix XenServer running on the remote host is missing a security hotfix. It is, therefore, affected by the following vulnerabilities : - A man-in-the-middle (MitM) vulnerability exists in the NTP component due to an improperly implemented threshold limitation for the '-g' option. A man-in-the-middle attacker can exploit this to intercept NTP traffic and return arbitrary date and time values to users. This vulnerability is only applicable if NTP is enabled. (CVE-2015-5300) - A denial of service vulnerability exists in the NTP component due to improper validation of the origin timestamp field when handling a Kiss-of-Death (KoD) packet. An unauthenticated, remote attacker can exploit this to cause a client to stop querying its servers, preventing the client from updating its clock. This vulnerability is only applicable if NTP is enabled. (CVE-2015-7704) - A denial of service vulnerability exists in the NTP component due to improper implementation of rate-limiting when handling server queries. An unauthenticated, remote attacker can exploit this to stop the client from querying its servers, preventing it from updating its clock. This vulnerability is only applicable if NTP is enabled. (CVE-2015-7705) - An unspecified flaw exists that allows an authenticated, remote attacker with read-only administrator access to corrupt the host database. This vulnerability is only applicable if RBAC is enabled. (CVE-2017-5572) - An unspecified flaw exists that allows an authenticated, remote attacker with read-only administration access to cancel the tasks of other administrators. This vulnerability is only applicable if RBAC is enabled. (CVE-2017-5573)
    last seen 2019-02-21
    modified 2018-07-06
    plugin id 96928
    published 2017-02-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96928
    title Citrix XenServer Multiple Vulnerabilities (CTX220112)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2015-F5F5EC7B6B.NASL
    description Security fix for CVE-2015-7704, CVE-2015-5300, CVE-2015-7692, CVE-2015-7871, CVE-2015-7702, CVE-2015-7691, CVE-2015-7852, CVE-2015-7701 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-01-30
    plugin id 89461
    published 2016-03-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=89461
    title Fedora 23 : ntp-4.2.6p5-34.fc23 (2015-f5f5ec7b6b)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-335.NASL
    description Several security issues where found in ntp : CVE-2015-5146 A flaw was found in the way ntpd processed certain remote configuration packets. An attacker could use a specially crafted package to cause ntpd to crash if : - ntpd enabled remote configuration - The attacker had the knowledge of the configuration password - The attacker had access to a computer entrusted to perform remote configuration Note that remote configuration is disabled by default in NTP. CVE-2015-5194 It was found that ntpd could crash due to an uninitialized variable when processing malformed logconfig configuration commands. CVE-2015-5195 It was found that ntpd exits with a segmentation fault when a statistics type that was not enabled during compilation (e.g. timingstats) is referenced by the statistics or filegen configuration command CVE-2015-5219 It was discovered that sntp program would hang in an infinite loop when a crafted NTP packet was received, related to the conversion of the precision value in the packet to double. CVE-2015-5300 It was found that ntpd did not correctly implement the -g option: Normally, ntpd exits with a message to the system log if the offset exceeds the panic threshold, which is 1000 s by default. This option allows the time to be set to any value without restriction; however, this can happen only once. If the threshold is exceeded after that, ntpd will exit with a message to the system log. This option can be used with the -q and -x options. ntpd could actually step the clock multiple times by more than the panic threshold if its clock discipline doesn't have enough time to reach the sync state and stay there for at least one update. If a man-in-the-middle attacker can control the NTP traffic since ntpd was started (or maybe up to 15-30 minutes after that), they can prevent the client from reaching the sync state and force it to step its clock by any amount any number of times, which can be used by attackers to expire certificates, etc. This is contrary to what the documentation says. Normally, the assumption is that an MITM attacker can step the clock more than the panic threshold only once when ntpd starts and to make a larger adjustment the attacker has to divide it into multiple smaller steps, each taking 15 minutes, which is slow. CVE-2015-7691, CVE-2015-7692, CVE-2015-7702 It was found that the fix for CVE-2014-9750 was incomplete: three issues were found in the value length checks in ntp_crypto.c, where a packet with particular autokey operations that contained malicious data was not always being completely validated. Receipt of these packets can cause ntpd to crash. CVE-2015-7701 A memory leak flaw was found in ntpd's CRYPTO_ASSOC. If ntpd is configured to use autokey authentication, an attacker could send packets to ntpd that would, after several days of ongoing attack, cause it to run out of memory. CVE-2015-7703 Miroslav Lichvár of Red Hat found that the :config command can be used to set the pidfile and driftfile paths without any restrictions. A remote attacker could use this flaw to overwrite a file on the file system with a file containing the pid of the ntpd process (immediately) or the current estimated drift of the system clock (in hourly intervals). For example: ntpq -c ':config pidfile /tmp/ntp.pid' ntpq -c ':config driftfile /tmp/ntp.drift' In Debian ntpd is configured to drop root privileges, which limits the impact of this issue. CVE-2015-7704 When ntpd as an NTP client receives a Kiss-of-Death (KoD) packet from the server to reduce its polling rate, it doesn't check if the originate timestamp in the reply matches the transmit timestamp from its request. An off-path attacker can send a crafted KoD packet to the client, which will increase the client's polling interval to a large value and effectively disable synchronization with the server. CVE-2015-7850 An exploitable denial of service vulnerability exists in the remote configuration functionality of the Network Time Protocol. A specially crafted configuration file could cause an endless loop resulting in a denial of service. An attacker could provide a the malicious configuration file to trigger this vulnerability. CVE-2015-7851 A potential path traversal vulnerability exists in the config file saving of ntpd on VMS. A specially crafted path could cause a path traversal potentially resulting in files being overwritten. An attacker could provide a malicious path to trigger this vulnerability. This issue does not affect Debian. CVE-2015-7852 A potential off by one vulnerability exists in the cookedprint functionality of ntpq. A specially crafted buffer could cause a buffer overflow potentially resulting in null byte being written out of bounds. CVE-2015-7855 It was found that NTP's decodenetnum() would abort with an assertion failure when processing a mode 6 or mode 7 packet containing an unusually long data value where a network address was expected. This could allow an authenticated attacker to crash ntpd. CVE-2015-7871 An error handling logic error exists within ntpd that manifests due to improper error condition handling associated with certain crypto-NAK packets. An unauthenticated, off­-path attacker can force ntpd processes on targeted servers to peer with time sources of the attacker's choosing by transmitting symmetric active crypto­-NAK packets to ntpd. This attack bypasses the authentication typically required to establish a peer association and allows an attacker to make arbitrary changes to system time. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-06
    plugin id 86640
    published 2015-10-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86640
    title Debian DLA-335-1 : ntp security update
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2015-1930.NASL
    description Updated ntp packages that fix two security issues are now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The Network Time Protocol (NTP) is used to synchronize a computer's time with a referenced time source. It was discovered that ntpd as a client did not correctly check timestamps in Kiss-of-Death packets. A remote attacker could use this flaw to send a crafted Kiss-of-Death packet to an ntpd client that would increase the client's polling interval value, and effectively disable synchronization with the server. (CVE-2015-7704) It was found that ntpd did not correctly implement the threshold limitation for the '-g' option, which is used to set the time without any restrictions. A man-in-the-middle attacker able to intercept NTP traffic between a connecting client and an NTP server could use this flaw to force that client to make multiple steps larger than the panic threshold, effectively changing the time to an arbitrary value. (CVE-2015-5300) Red Hat would like to thank Aanchal Malhotra, Isaac E. Cohen, and Sharon Goldberg of Boston University for reporting these issues. All ntp users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. After installing the update, the ntpd daemon will restart automatically.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 86614
    published 2015-10-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86614
    title RHEL 6 / 7 : ntp (RHSA-2015:1930)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-1175-1.NASL
    description ntp was updated to version 4.2.8p6 to fix 12 security issues. These security issues were fixed : - CVE-2015-8158: Fixed potential infinite loop in ntpq (bsc#962966). - CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002). - CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated broadcast mode (bsc#962784). - CVE-2015-7978: Stack exhaustion in recursive traversal of restriction list (bsc#963000). - CVE-2015-7977: reslist NULL pointer dereference (bsc#962970). - CVE-2015-7976: ntpq saveconfig command allows dangerous characters in filenames (bsc#962802). - CVE-2015-7975: nextvar() missing length check (bsc#962988). - CVE-2015-7974: Skeleton Key: Missing key check allows impersonation between authenticated peers (bsc#962960). - CVE-2015-7973: Replay attack on authenticated broadcast mode (bsc#962995). - CVE-2015-8140: ntpq vulnerable to replay attacks (bsc#962994). - CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose origin (bsc#962997). - CVE-2015-5300: MITM attacker could have forced ntpd to make a step larger than the panic threshold (bsc#951629). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 90820
    published 2016-05-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90820
    title SUSE SLES11 Security Update : ntp (SUSE-SU-2016:1175-1)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2016-0082.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : - don't allow spoofed packets to demobilize associations (CVE-2015-7979, CVE-2016-1547) - don't allow spoofed packet to enable symmetric interleaved mode (CVE-2016-1548) - check mode of new source in config command (CVE-2016-2518) - make MAC check resilient against timing attack (CVE-2016-1550) - don't accept server/peer packets with zero origin timestamp (CVE-2015-8138) - fix crash with reslist command (CVE-2015-7977, CVE-2015-7978) - fix crash with invalid logconfig command (CVE-2015-5194) - fix crash when referencing disabled statistic type (CVE-2015-5195) - don't hang in sntp with crafted reply (CVE-2015-5219) - don't crash with crafted autokey packet (CVE-2015-7691, CVE-2015-7692, CVE-2015-7702) - fix memory leak with autokey (CVE-2015-7701) - don't allow setting driftfile and pidfile remotely (CVE-2015-7703) - don't crash in ntpq with crafted packet (CVE-2015-7852) - add option to set Differentiated Services Code Point (DSCP) (#1228314) - extend rawstats log (#1242895) - fix resetting of leap status (#1243034) - report clock state changes related to leap seconds (#1242937) - allow -4/-6 on restrict lines with mask (#1232146) - retry joining multicast groups (#1288534) - explain synchronised state in ntpstat man page (#1286969) - check origin timestamp before accepting KoD RATE packet (CVE-2015-7704) - allow only one step larger than panic threshold with -g (CVE-2015-5300)
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 91419
    published 2016-06-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91419
    title OracleVM 3.3 / 3.4 : ntp (OVMSA-2016-0082)
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2016-054-04.NASL
    description New ntp packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues.
    last seen 2019-02-21
    modified 2017-02-13
    plugin id 88912
    published 2016-02-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=88912
    title Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : ntp (SSA:2016-054-04)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3388.NASL
    description Several vulnerabilities were discovered in the Network Time Protocol daemon and utility programs : - CVE-2015-5146 A flaw was found in the way ntpd processed certain remote configuration packets. An attacker could use a specially crafted package to cause ntpd to crash if : - ntpd enabled remote configuration - The attacker had the knowledge of the configuration password - The attacker had access to a computer entrusted to perform remote configuration Note that remote configuration is disabled by default in NTP. - CVE-2015-5194 It was found that ntpd could crash due to an uninitialized variable when processing malformed logconfig configuration commands. - CVE-2015-5195 It was found that ntpd exits with a segmentation fault when a statistics type that was not enabled during compilation (e.g. timingstats) is referenced by the statistics or filegen configuration command. - CVE-2015-5219 It was discovered that sntp program would hang in an infinite loop when a crafted NTP packet was received, related to the conversion of the precision value in the packet to double. - CVE-2015-5300 It was found that ntpd did not correctly implement the -g option : Normally, ntpd exits with a message to the system log if the offset exceeds the panic threshold, which is 1000 s by default. This option allows the time to be set to any value without restriction; however, this can happen only once. If the threshold is exceeded after that, ntpd will exit with a message to the system log. This option can be used with the -q and -x options. ntpd could actually step the clock multiple times by more than the panic threshold if its clock discipline doesn't have enough time to reach the sync state and stay there for at least one update. If a man-in-the-middle attacker can control the NTP traffic since ntpd was started (or maybe up to 15-30 minutes after that), they can prevent the client from reaching the sync state and force it to step its clock by any amount any number of times, which can be used by attackers to expire certificates, etc. This is contrary to what the documentation says. Normally, the assumption is that an MITM attacker can step the clock more than the panic threshold only once when ntpd starts and to make a larger adjustment the attacker has to divide it into multiple smaller steps, each taking 15 minutes, which is slow. - CVE-2015-7691, CVE-2015-7692, CVE-2015-7702 It was found that the fix for CVE-2014-9750 was incomplete: three issues were found in the value length checks in ntp_crypto.c, where a packet with particular autokey operations that contained malicious data was not always being completely validated. Receipt of these packets can cause ntpd to crash. - CVE-2015-7701 A memory leak flaw was found in ntpd's CRYPTO_ASSOC. If ntpd is configured to use autokey authentication, an attacker could send packets to ntpd that would, after several days of ongoing attack, cause it to run out of memory. - CVE-2015-7703 Miroslav Lichvar of Red Hat found that the :config command can be used to set the pidfile and driftfile paths without any restrictions. A remote attacker could use this flaw to overwrite a file on the file system with a file containing the pid of the ntpd process (immediately) or the current estimated drift of the system clock (in hourly intervals). For example : ntpq -c ':config pidfile /tmp/ntp.pid'ntpq -c ':config driftfile /tmp/ntp.drift' In Debian ntpd is configured to drop root privileges, which limits the impact of this issue. - CVE-2015-7704 If ntpd as an NTP client receives a Kiss-of-Death (KoD) packet from the server to reduce its polling rate, it doesn't check if the originate timestamp in the reply matches the transmit timestamp from its request. An off-path attacker can send a crafted KoD packet to the client, which will increase the client's polling interval to a large value and effectively disable synchronization with the server. - CVE-2015-7850 An exploitable denial of service vulnerability exists in the remote configuration functionality of the Network Time Protocol. A specially crafted configuration file could cause an endless loop resulting in a denial of service. An attacker could provide a malicious configuration file to trigger this vulnerability. - CVE-2015-7852 A potential off by one vulnerability exists in the cookedprint functionality of ntpq. A specially crafted buffer could cause a buffer overflow potentially resulting in null byte being written out of bounds. - CVE-2015-7855 It was found that NTP's decodenetnum() would abort with an assertion failure when processing a mode 6 or mode 7 packet containing an unusually long data value where a network address was expected. This could allow an authenticated attacker to crash ntpd. - CVE-2015-7871 An error handling logic error exists within ntpd that manifests due to improper error condition handling associated with certain crypto-NAK packets. An unauthenticated, off-path attacker can force ntpd processes on targeted servers to peer with time sources of the attacker's choosing by transmitting symmetric active crypto-NAK packets to ntpd. This attack bypasses the authentication typically required to establish a peer association and allows an attacker to make arbitrary changes to system time.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 86682
    published 2015-11-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86682
    title Debian DSA-3388-1 : ntp - security update
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2015-1930.NASL
    description From Red Hat Security Advisory 2015:1930 : Updated ntp packages that fix two security issues are now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The Network Time Protocol (NTP) is used to synchronize a computer's time with a referenced time source. It was discovered that ntpd as a client did not correctly check timestamps in Kiss-of-Death packets. A remote attacker could use this flaw to send a crafted Kiss-of-Death packet to an ntpd client that would increase the client's polling interval value, and effectively disable synchronization with the server. (CVE-2015-7704) It was found that ntpd did not correctly implement the threshold limitation for the '-g' option, which is used to set the time without any restrictions. A man-in-the-middle attacker able to intercept NTP traffic between a connecting client and an NTP server could use this flaw to force that client to make multiple steps larger than the panic threshold, effectively changing the time to an arbitrary value. (CVE-2015-5300) Red Hat would like to thank Aanchal Malhotra, Isaac E. Cohen, and Sharon Goldberg of Boston University for reporting these issues. All ntp users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. After installing the update, the ntpd daemon will restart automatically.
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 86612
    published 2015-10-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86612
    title Oracle Linux 6 / 7 : ntp (ELSA-2015-1930)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-578.NASL
    description ntp was updated to version 4.2.8p6 to fix 12 security issues. Also yast2-ntp-client was updated to match some sntp syntax changes. (bsc#937837) These security issues were fixed : - CVE-2015-8158: Fixed potential infinite loop in ntpq (bsc#962966). - CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002). - CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated broadcast mode (bsc#962784). - CVE-2015-7978: Stack exhaustion in recursive traversal of restriction list (bsc#963000). - CVE-2015-7977: reslist NULL pointer dereference (bsc#962970). - CVE-2015-7976: ntpq saveconfig command allows dangerous characters in filenames (bsc#962802). - CVE-2015-7975: nextvar() missing length check (bsc#962988). - CVE-2015-7974: Skeleton Key: Missing key check allows impersonation between authenticated peers (bsc#962960). - CVE-2015-7973: Replay attack on authenticated broadcast mode (bsc#962995). - CVE-2015-8140: ntpq vulnerable to replay attacks (bsc#962994). - CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose origin (bsc#962997). - CVE-2015-5300: MITM attacker could have forced ntpd to make a step larger than the panic threshold (bsc#951629). These non-security issues were fixed : - fate#320758 bsc#975981: Enable compile-time support for MS-SNTP (--enable-ntp-signd). This replaces the w32 patches in 4.2.4 that added the authreg directive. - bsc#962318: Call /usr/sbin/sntp with full path to synchronize in start-ntpd. When run as cron job, /usr/sbin/ is not in the path, which caused the synchronization to fail. - bsc#782060: Speedup ntpq. - bsc#916617: Add /var/db/ntp-kod. - bsc#956773: Add ntp-ENOBUFS.patch to limit a warning that might happen quite a lot on loaded systems. - bsc#951559,bsc#975496: Fix the TZ offset output of sntp during DST. - Add ntp-fork.patch and build with threads disabled to allow name resolution even when running chrooted. This update was imported from the SUSE:SLE-12-SP1:Update update project.
    last seen 2019-02-21
    modified 2017-02-13
    plugin id 91111
    published 2016-05-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91111
    title openSUSE Security Update : ntp (openSUSE-2016-578)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_4EAE4F46B5CE11E58A2BD050996490D0.NASL
    description Network Time Foundation reports : NTF's NTP Project has been notified of the following 1 medium-severity vulnerability that is fixed in ntp-4.2.8p5, released on Thursday, 7 January 2016 : NtpBug2956: Small-step/Big-step CVE-2015-5300
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 87790
    published 2016-01-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87790
    title FreeBSD : ntp -- denial of service vulnerability (4eae4f46-b5ce-11e5-8a2b-d050996490d0)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20151026_NTP_ON_SL6_X.NASL
    description It was discovered that ntpd as a client did not correctly check timestamps in Kiss-of-Death packets. A remote attacker could use this flaw to send a crafted Kiss-of-Death packet to an ntpd client that would increase the client's polling interval value, and effectively disable synchronization with the server. (CVE-2015-7704) It was found that ntpd did not correctly implement the threshold limitation for the '-g' option, which is used to set the time without any restrictions. A man-in-the-middle attacker able to intercept NTP traffic between a connecting client and an NTP server could use this flaw to force that client to make multiple steps larger than the panic threshold, effectively changing the time to an arbitrary value. (CVE-2015-5300) After installing the update, the ntpd daemon will restart automatically.
    last seen 2019-02-21
    modified 2018-12-28
    plugin id 86615
    published 2015-10-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86615
    title Scientific Linux Security Update : ntp on SL6.x, SL7.x i386/x86_64
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-34BC10A2C8.NASL
    description Security fix for CVE-2015-7974, CVE-2015-8138, CVE-2015-7977, CVE-2015-7978, CVE-2015-7979, CVE-2015-8158 ---- Security fix for CVE-2015-7704, CVE-2015-5300, CVE-2015-7692, CVE-2015-7871, CVE-2015-7702, CVE-2015-7691, CVE-2015-7852, CVE-2015-7701 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-02-01
    plugin id 89510
    published 2016-03-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=89510
    title Fedora 22 : ntp-4.2.6p5-36.fc22 (2016-34bc10a2c8)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2015-607.NASL
    description It was discovered that ntpd as a client did not correctly check timestamps in Kiss-of-Death packets. A remote attacker could use this flaw to send a crafted Kiss-of-Death packet to an ntpd client that would increase the client's polling interval value, and effectively disable synchronization with the server. (CVE-2015-7704) It was found that ntpd did not correctly implement the threshold limitation for the '-g' option, which is used to set the time without any restrictions. A man-in-the-middle attacker able to intercept NTP traffic between a connecting client and an NTP server could use this flaw to force that client to make multiple steps larger than the panic threshold, effectively changing the time to an arbitrary value. (CVE-2015-5300) It was found that the fix for CVE-2014-9750 was incomplete: three issues were found in the value length checks in ntp_crypto.c, where a packet with particular autokey operations that contained malicious data was not always being completely validated. Receipt of these packets can cause ntpd to crash. (CVE-2015-7691 , CVE-2015-7692 , CVE-2015-7702) A potential off by one vulnerability exists in the cookedprint functionality of ntpq. A specially crafted buffer could cause a buffer overflow potentially resulting in null byte being written out of bounds. (CVE-2015-7852) A memory leak flaw was found in ntpd's CRYPTO_ASSOC. If ntpd is configured to use autokey authentication, an attacker could send packets to ntpd that would, after several days of ongoing attack, cause it to run out of memory. (CVE-2015-7701)
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 86638
    published 2015-10-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86638
    title Amazon Linux AMI : ntp (ALAS-2015-607)
  • NASL family AIX Local Security Checks
    NASL id AIX_NTP_ADVISORY5.NASL
    description A version of the Network Time Protocol (NTP) package installed on the remote AIX host is affected by an integrity vulnerability due to an improperly implemented threshold limitation for the '-g' option. A man-in-the-middle attacker can exploit this to intercept the NTP traffic and return arbitrary date and time values to the user.
    last seen 2019-02-21
    modified 2018-07-17
    plugin id 89672
    published 2016-03-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=89672
    title AIX NTP Advisory : ntp_advisory5 (IV81129) (IV81130)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-1177-1.NASL
    description ntp was updated to version 4.2.8p6 to fix 12 security issues. Also yast2-ntp-client was updated to match some sntp syntax changes. (bsc#937837) These security issues were fixed : - CVE-2015-8158: Fixed potential infinite loop in ntpq (bsc#962966). - CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002). - CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated broadcast mode (bsc#962784). - CVE-2015-7978: Stack exhaustion in recursive traversal of restriction list (bsc#963000). - CVE-2015-7977: reslist NULL pointer dereference (bsc#962970). - CVE-2015-7976: ntpq saveconfig command allows dangerous characters in filenames (bsc#962802). - CVE-2015-7975: nextvar() missing length check (bsc#962988). - CVE-2015-7974: Skeleton Key: Missing key check allows impersonation between authenticated peers (bsc#962960). - CVE-2015-7973: Replay attack on authenticated broadcast mode (bsc#962995). - CVE-2015-8140: ntpq vulnerable to replay attacks (bsc#962994). - CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose origin (bsc#962997). - CVE-2015-5300: MITM attacker could have forced ntpd to make a step larger than the panic threshold (bsc#951629). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 90821
    published 2016-05-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90821
    title SUSE SLED12 / SLES12 Security Update : ntp (SUSE-SU-2016:1177-1)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2015-1930.NASL
    description Updated ntp packages that fix two security issues are now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The Network Time Protocol (NTP) is used to synchronize a computer's time with a referenced time source. It was discovered that ntpd as a client did not correctly check timestamps in Kiss-of-Death packets. A remote attacker could use this flaw to send a crafted Kiss-of-Death packet to an ntpd client that would increase the client's polling interval value, and effectively disable synchronization with the server. (CVE-2015-7704) It was found that ntpd did not correctly implement the threshold limitation for the '-g' option, which is used to set the time without any restrictions. A man-in-the-middle attacker able to intercept NTP traffic between a connecting client and an NTP server could use this flaw to force that client to make multiple steps larger than the panic threshold, effectively changing the time to an arbitrary value. (CVE-2015-5300) Red Hat would like to thank Aanchal Malhotra, Isaac E. Cohen, and Sharon Goldberg of Boston University for reporting these issues. All ntp users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. After installing the update, the ntpd daemon will restart automatically.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 86611
    published 2015-10-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86611
    title CentOS 6 / 7 : ntp (CESA-2015:1930)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2015-77BFBC1BCD.NASL
    description Security fix for CVE-2015-7704, CVE-2015-5300, CVE-2015-7692, CVE-2015-7871, CVE-2015-7702, CVE-2015-7691, CVE-2015-7852, CVE-2015-7701 ---- Security fix for CVE-2015-5146, CVE-2015-5194, CVE-2015-5219, CVE-2015-5195, CVE-2015-5196 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-01-30
    plugin id 89288
    published 2016-03-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=89288
    title Fedora 21 : ntp-4.2.6p5-34.fc21 (2015-77bfbc1bcd)
  • NASL family F5 Networks Local Security Checks
    NASL id F5_BIGIP_SOL10600056.NASL
    description It was found that ntpd did not correctly implement the threshold limitation for the '-g' option, which is used to set the time without any restrictions. (CVE-2015-5300)
    last seen 2019-02-21
    modified 2019-01-04
    plugin id 88917
    published 2016-02-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=88917
    title F5 Networks BIG-IP : NTP vulnerability (K10600056)
  • NASL family AIX Local Security Checks
    NASL id AIX_NTP_V4_ADVISORY5.NASL
    description The remote AIX host has a version of Network Time Protocol (NTP) installed that has a vulnerability when ntp is started with the -g option. A remote, unauthenticated attacker could send crafted data to ntp which would enable the time to be changed, enabling further attacks.
    last seen 2019-02-21
    modified 2018-07-17
    plugin id 102323
    published 2017-08-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102323
    title AIX NTP v4 Advisory : ntp_advisory5.asc (IV81129) (IV81130)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-1912-1.NASL
    description NTP was updated to version 4.2.8p8 to fix several security issues and to ensure the continued maintainability of the package. These security issues were fixed : CVE-2016-4953: Bad authentication demobilized ephemeral associations (bsc#982065). CVE-2016-4954: Processing spoofed server packets (bsc#982066). CVE-2016-4955: Autokey association reset (bsc#982067). CVE-2016-4956: Broadcast interleave (bsc#982068). CVE-2016-4957: CRYPTO_NAK crash (bsc#982064). CVE-2016-1547: Validate crypto-NAKs to prevent ACRYPTO-NAK DoS (bsc#977459). CVE-2016-1548: Prevent the change of time of an ntpd client or denying service to an ntpd client by forcing it to change from basic client/server mode to interleaved symmetric mode (bsc#977461). CVE-2016-1549: Sybil vulnerability: ephemeral association attack (bsc#977451). CVE-2016-1550: Improve security against buffer comparison timing attacks (bsc#977464). CVE-2016-1551: Refclock impersonation vulnerability (bsc#977450)y CVE-2016-2516: Duplicate IPs on unconfig directives could have caused an assertion botch in ntpd (bsc#977452). CVE-2016-2517: Remote configuration trustedkey/ requestkey/controlkey values are not properly validated (bsc#977455). CVE-2016-2518: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC (bsc#977457). CVE-2016-2519: ctl_getitem() return value not always checked (bsc#977458). CVE-2015-8158: Potential Infinite Loop in ntpq (bsc#962966). CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002). CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated broadcast mode (bsc#962784). CVE-2015-7978: Stack exhaustion in recursive traversal of restriction list (bsc#963000). CVE-2015-7977: reslist NULL pointer dereference (bsc#962970). CVE-2015-7976: ntpq saveconfig command allowed dangerous characters in filenames (bsc#962802). CVE-2015-7975: nextvar() missing length check (bsc#962988). CVE-2015-7974: NTP did not verify peer associations of symmetric keys when authenticating packets, which might have allowed remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a 'skeleton' key (bsc#962960). CVE-2015-7973: Replay attack on authenticated broadcast mode (bsc#962995). CVE-2015-5300: MITM attacker can force ntpd to make a step larger than the panic threshold (bsc#951629). CVE-2015-5194: Crash with crafted logconfig configuration command (bsc#943218). CVE-2015-7871: NAK to the Future: Symmetric association authentication bypass via crypto-NAK (bsc#952611). CVE-2015-7855: decodenetnum() will ASSERT botch instead of returning FAIL on some bogus values (bsc#952611). CVE-2015-7854: Password Length Memory Corruption Vulnerability (bsc#952611). CVE-2015-7853: Invalid length data provided by a custom refclock driver could cause a buffer overflow (bsc#952611). CVE-2015-7852: ntpq atoascii() Memory Corruption Vulnerability (bsc#952611). CVE-2015-7851: saveconfig Directory Traversal Vulnerability (bsc#952611). CVE-2015-7850: Clients that receive a KoD now validate the origin timestamp field (bsc#952611). CVE-2015-7849: Prevent use-after-free trusted key (bsc#952611). CVE-2015-7848: Prevent mode 7 loop counter underrun (bsc#952611). CVE-2015-7701: Slow memory leak in CRYPTO_ASSOC (bsc#952611). CVE-2015-7703: Configuration directives 'pidfile' and 'driftfile' should only be allowed locally (bsc#943221). CVE-2015-7704: Clients that receive a KoD should validate the origin timestamp field (bsc#952611). CVE-2015-7705: Clients that receive a KoD should validate the origin timestamp field (bsc#952611). CVE-2015-7691: Incomplete autokey data packet length checks (bsc#952611). CVE-2015-7692: Incomplete autokey data packet length checks (bsc#952611). CVE-2015-7702: Incomplete autokey data packet length checks (bsc#952611). CVE-2015-1798: The symmetric-key feature in the receive function in ntp_proto.c in ntpd in NTP required a correct MAC only if the MAC field has a nonzero length, which made it easier for man-in-the-middle attackers to spoof packets by omitting the MAC (bsc#924202). CVE-2015-1799: The symmetric-key feature in the receive function in ntp_proto.c in ntpd in NTP performed state-variable updates upon receiving certain invalid packets, which made it easier for man-in-the-middle attackers to cause a denial of service (synchronization loss) by spoofing the source IP address of a peer (bsc#924202). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 93186
    published 2016-08-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93186
    title SUSE SLES10 Security Update : ntp (SUSE-SU-2016:1912-1)
redhat via4
advisories
rhsa
id RHSA-2015:1930
rpms
  • ntp-0:4.2.6p5-5.el6_7.2
  • ntp-doc-0:4.2.6p5-5.el6_7.2
  • ntp-perl-0:4.2.6p5-5.el6_7.2
  • ntpdate-0:4.2.6p5-5.el6_7.2
  • ntp-0:4.2.6p5-19.el7_1.3
  • ntp-doc-0:4.2.6p5-19.el7_1.3
  • ntp-perl-0:4.2.6p5-19.el7_1.3
  • ntpdate-0:4.2.6p5-19.el7_1.3
  • sntp-0:4.2.6p5-19.el7_1.3
refmap via4
bid 77312
confirm
debian DSA-3388
fedora
  • FEDORA-2015-77bfbc1bcd
  • FEDORA-2015-f5f5ec7b6b
  • FEDORA-2016-34bc10a2c8
freebsd FreeBSD-SA-16:02
misc
mlist [slackware-security] 20160223 ntp (SSA:2016-054-04)
sectrack 1034670
suse
  • SUSE-SU:2016:1175
  • SUSE-SU:2016:1177
  • SUSE-SU:2016:1247
  • SUSE-SU:2016:1311
  • SUSE-SU:2016:1912
  • SUSE-SU:2016:2094
  • openSUSE-SU:2016:1292
  • openSUSE-SU:2016:1423
ubuntu USN-2783-1
Last major update 21-07-2017 - 10:29
Published 21-07-2017 - 10:29
Last modified 30-10-2018 - 12:27
Back to Top